Amazon and Apple Flaw

It was 5 p.m. when Mat Honan, a journalist for Wired, realized that he was being hacked. Later that night he discovered that a hacker called Phobia had broken into his email, Twitter, Amazon, and iCloud accounts, and had wiped his iPhone and his MacBook’s hard drive. After Honan set up a new Twitter account and tweeted about the hack, Phobia messaged him and explained how he had gotten into all of Honan’s accounts and why he did it.

Phobia’s reason for hacking Honan was that he wanted Honan’s Twitter handle, @mat. The first thing Phobia did was figure out that Honan had a Gmail account. From Google’s account recovery page Phobia was able to see a partially masked version of another email address Honan used, which happened to be his Apple @me address. To gain access to Honan’s Apple account, all Phobia needed was a billing address, the last four digits of Honan’s credit card, and a phone call to Apple’s tech support. Phobia got the billing address with a simple internet search. Getting the last four digits of Honan’s credit card number was done by a partner of Phobia’s. The partner first called Amazon and said that he wanted to add a credit card number to the account; all Amazon required for this was the billing address and the email address that went with the account. Then Phobia’s partner called again and said that he could not access the account. By giving them the billing address, Honan’s name, and the credit card number that had just been attached to the account, he got Amazon to add a new email address to the account and send a temporary password to it. With access to the Amazon account, Phobia could see the last four digits of every credit card on Honan’s account. Now that Phobia had the last four digits of Honan’s credit card, his name, and his address, he called AppleCare and gained access to Honan’s Apple email, and from there to his Gmail account.

In his article about the hack, Honan discusses some of the measures he could have taken to prevent it. The major one he did not take was enabling Google’s two-factor authentication. Two other things he mentions are that he should have been backing up his MacBook regularly, which would have meant not losing all the pictures of his one-year-old daughter and many work-related files, and that he should not have used the same email address for all of his accounts. This still raises the question: if a 19-year-old and his friend can get into a person’s accounts with little to no training and no actual technical hacking, and wipe that person’s MacBook and iPhone, what will happen when Windows 8 comes out with cloud support built in? Could we see more of these incidents, and could we see them on a larger scale, if better security measures are not implemented?
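The recovery chain above, written out as a small threat model (an added example, not code from the article or this post): each step lists the facts a caller had to present and the fact it handed over, and a fixed-point closure from the publicly findable facts shows which accounts fall. The step and fact names are labels chosen for this model, not identifiers from any of the services; the `with_second_factor` helper is assumed here to show how a possession factor on one step cuts the chain.

```python
"""Threat model of the account-recovery chain in the Honan hack (constructed)."""
from typing import Dict, Set, Tuple

Step = Tuple[Set[str], Set[str]]  # (facts required, facts granted)

RECOVERY_STEPS: Dict[str, Step] = {
    # Amazon let a caller attach a new card with only address + account email.
    "amazon_add_card": ({"billing_address", "amazon_email"}, {"attacker_card_on_file"}),
    # A second call "proved" ownership with the card that had just been attached.
    "amazon_reset": ({"billing_address", "name", "attacker_card_on_file"}, {"amazon_account"}),
    # Once logged in, the last four digits of the real cards are visible.
    "amazon_view_cards": ({"amazon_account"}, {"card_last4"}),
    # AppleCare issued a temporary password on address + last four digits.
    "applecare_reset": ({"billing_address", "card_last4", "apple_email"}, {"apple_account"}),
    # Gmail's recovery address was the Apple mailbox.
    "gmail_recovery": ({"apple_account"}, {"gmail_account"}),
    # The Twitter account was tied to the Gmail address.
    "twitter_reset": ({"gmail_account"}, {"twitter_account"}),
}

# Facts findable from a web search or from masked hints on recovery pages.
PUBLIC_FACTS = {"name", "billing_address", "amazon_email", "apple_email"}


def reachable(start: Set[str], steps: Dict[str, Step]) -> Set[str]:
    """Keep applying any step whose requirements are met until nothing changes."""
    known = set(start)
    changed = True
    while changed:
        changed = False
        for requires, grants in steps.values():
            if requires <= known and not grants <= known:
                known |= grants
                changed = True
    return known


def with_second_factor(steps: Dict[str, Step], step: str, factor: str) -> Dict[str, Step]:
    """Copy of the model where `step` also demands a factor the caller cannot supply."""
    hardened = dict(steps)
    requires, grants = steps[step]
    hardened[step] = (requires | {factor}, grants)
    return hardened


def compromised_accounts(steps: Dict[str, Step] = RECOVERY_STEPS) -> Set[str]:
    """Accounts an attacker holding only PUBLIC_FACTS ends up controlling."""
    return {f for f in reachable(PUBLIC_FACTS, steps) if f.endswith("_account")}
```

Adding the factor to the Gmail step alone still leaves the Amazon and Apple accounts exposed, which is why the post's point about not reusing one address across every account matters as much as two-factor authentication.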

9 thoughts on “Amazon and Apple Flaw”

I feel that Apple and Amazon should work together and try to make it safer for their customers, but in reality we know that it will never happen. One thought I had about making it more secure was to ask the caller questions like they do on the computer if you forget your password and have to change it. It may not work, but it was just a thought.

It would be nice if we had the luxury of companies working together to try and limit the amount of information that someone could see if your account was hacked, but unfortunately it is most likely that they won't.

Most systems have a password reset system like this. It’s handy if you forget your password, but it opens another line an attacker can attempt to get through. I wonder if it might be more secure to just have the one opening of getting a valid password.

I may be getting this confused with another presentation, but was it discussed in class that Phobia is a grey hat hacker? If so, I was under the impression they just hack willy-nilly with no actual intent or hidden agenda. It seems to me that this Phobia guy had something against Mat other than the fact that he wanted his Twitter tag.

For example, deleting all of his pictures? That’s pretty scummy. While you could argue that he did eventually get Apple and Amazon to change their security policies, he could have tried to be less of a jackass.

Phobia did contact Mat directly over Twitter and said that he had nothing against him and that he just wanted his Twitter handle. Phobia also said that his partner wiped the hard drive. Then again, you can’t really trust a person who has hacked your accounts.

It’s certainly frightening that with only a tiny bit of information and a good impersonating talent, someone can easily find their way into your entire digital profile. Companies really need to start being more careful when it comes to their customer service so that things like this can’t happen so easily.

As an avid Wired reader, I followed this story over the summer. Mat’s story was not only a great example of social engineering, but also of the prevalence of security flaws in major companies. Sadly for Mat, it takes the wronging of one to make change for many. Hopefully incidents like this can be prevented in the future.